
Thursday, 8 March 2018

I see a lot of "fake boss" fraud emails in my day job, but it's rare that I see them sent to my personal email address. These four emails all look like fake boss fraud emails, but there's something more going on here.

I will send the рapеrwork onсе i'll sort out mу stuff.
Lеаve а reрly once donе or if you gеt аny рroblem whilе setting it up.

Rеgards
Andrea [Redacted]

Sent from mу iPhone.

"Andrea" and "Ravi" are not random people: they are both directors of a legitimate company whose name is very similar to (but unconnected with) one I blogged about years ago. In $dayjob the sample email I saw purported to come from that company's chief counsel, so I believe these are targeted, just incorrectly.

Normally with this sort of scam, the "boss" is asking for payment to be wired to the bank details in the email. But in this case, the sort codes for the banks (30-62-12, 30-61-10 and 30-62-15) don't exist. If you tried to wire money to them, the transfer would fail.

So, presumably when the bank transfer fails, the victim emails back the "fake boss", but it isn't all it seems. Although the "From" address looks to be genuine, there's a "Reply-To" address which goes somewhere a bit more subtle.

For example, in one of the emails above the message appears to come from andrea@victimdomain.com (i.e. whatever the victim's genuine domain is) but replies go back to something similar but different, for example andrea@victimdomain.com-v.eu, at which point the fraudsters presumably come up with different bank account details.

At the moment the email replies go to a server at 185.235.131.65 (hostname uk-v.eu) in the Netherlands, but these domains and servers get shut down quickly.

This variation of an old scam seems to be quite new. Remember, if your boss emails you out of the blue and asks you to set up a payment without giving much information, always check that the request is valid and don't simply reply to the email.
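The From / Reply-To mismatch described above is straightforward to check for at the mail gateway. This is an added example (not from the original post), using only the Python standard library and a constructed message modelled on the pattern; the lookalike heuristic is my own and errs on the side of flagging:

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the pattern the post describes: the From header
# carries the victim's own domain, while Reply-To points at a lookalike domain.
SAMPLE_MESSAGE = b"""From: Andrea <andrea@victimdomain.com>
Reply-To: Andrea <andrea@victimdomain.com-v.eu>
To: finance@victimdomain.com
Subject: Urgent payment
Date: Thu, 8 Mar 2018 09:12:00 +0000

Please set up the payment today, I will send the paperwork later.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_lookalike(from_domain, reply_domain):
    """True when Reply-To differs from From but is built around it,
    e.g. 'victimdomain.com' vs 'victimdomain.com-v.eu'. Heuristic: a short
    first label (like 'bt') can produce false positives, which is acceptable
    for a filter that only raises a flag."""
    if not from_domain or not reply_domain or from_domain == reply_domain:
        return False
    if reply_domain.endswith("." + from_domain):   # genuine subdomain
        return False
    stem = from_domain.split(".")[0]               # 'victimdomain'
    return reply_domain.startswith(from_domain) or stem in reply_domain


def check_reply_to(raw_message):
    """Classify the From / Reply-To relationship of one RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    if not reply_domain:
        verdict = "no-reply-to"
    elif reply_domain == from_domain or reply_domain.endswith("." + from_domain):
        verdict = "same-domain"
    elif is_lookalike(from_domain, reply_domain):
        verdict = "lookalike"
    else:
        verdict = "different-domain"
    return {"from": from_domain, "reply_to": reply_domain, "verdict": verdict}


if __name__ == "__main__":
    print(check_reply_to(SAMPLE_MESSAGE))
```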

I will forward the docs onсe i'll sort out my stuff.
Lеаve a rеply once completed or in cаse уou get аny problеm while setting it uр.

Regаrds
Andreа [redacted]

Sеnt from mу iPhonе.

What I hadn't noticed before is that the spam is using homoglyphs in the text to avoid filters. For example, the word "pаymеnt" in the email above does not actually say "payment": it uses a couple of Cyrillic (i.e. Russian) characters in place of the "a" and "e" that just happen to look the same.

For the latest spam messages, the email relays through various hosts but always seems to originate from 91.243.80.176 (hostname: lmasko22.example.com). As with the other infrastructure this belongs to a company called MoreneHost in Russia.
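Two defensive checks that catch the homoglyph trick described above: flag words that mix Latin with another script, and fold the common Cyrillic look-alikes back to Latin before running keyword filters. This is an added example, not code from the post; the sample line is constructed with explicit code points, and the small confusables table is my own rather than the full Unicode confusables data:

```python
import unicodedata

# Constructed sample using the substitutions seen in the spam: Cyrillic
# er (U+0440), ie (U+0435), es (U+0441) and u (U+0443) standing in for p, e, c, y.
SAMPLE_LINE = "I will send the \u0440ap\u0435rwork on\u0441\u0435 i'll sort out m\u0443 stuff."

# Cyrillic letters that are visually identical to Latin ones in most fonts.
# Assumption: this table covers the substitutions the post shows; a production
# filter would load the Unicode confusables list instead.
CYRILLIC_HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}


def scripts_in(word):
    """Script names (first word of the Unicode character name) of a word's letters."""
    scripts = set()
    for ch in word:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def mixed_script_words(text):
    """Words that combine Latin with another script; a strong spam/phish signal
    in an otherwise English message."""
    flagged = []
    for raw in text.split():
        word = raw.strip(".,;:!?\"'()")
        scripts = scripts_in(word)
        if "LATIN" in scripts and len(scripts) > 1:
            flagged.append(word)
    return flagged


def fold_homoglyphs(text):
    """Map known Cyrillic look-alikes back to Latin so keyword rules match."""
    return "".join(CYRILLIC_HOMOGLYPHS.get(ch, ch) for ch in text)


def matches_keyword(text, keyword):
    """Keyword test that is robust to the substitutions in CYRILLIC_HOMOGLYPHS."""
    return keyword.lower() in fold_homoglyphs(text).lower()


if __name__ == "__main__":
    print("mixed-script words:", mixed_script_words(SAMPLE_LINE))
    print("folded:", fold_homoglyphs(SAMPLE_LINE))
```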

Monday, 15 January 2018

Swisscoin is a fairly low-volume self-styled cryptocurrency that has been the target of a Necurs-based spam run starting on Saturday 13th January, and increasing in volume to huge levels on Monday.

From: Florine Fray [Fray.419@redacted.tld]
Date: 15 January 2018 at 10:51
Subject: Could this digital currency actually make you a millionaire?

Every once in a while, an opportunity comes around. What divides winners from losers is those who seize it and those who don't. By now, you must have heard about all the people who made a killing with bitcoin over the last year. Some of them made more than ten million with just an initial purchase of a thousand bucks. What I want to ask you though is: Did you know that there are hundreds of other digital currencies that have had even bigger gains over the last twelve months? This includes Ripple, Ethereum and Raiblocks – you may have heard about some of them. What is the next big one for 2018? The answer in my opinion is simple. It's Swisscoin [SIC]. The reason for that is very straight forward. It's because it is supported by the Switzerland government. It is already considered as legal in the country and it is entirely shielded from any political instability. It's the type of coin that you can buy a thousand bucks of, and sit on for a few months or even years and that few thousand will likely be worth a few million. SIC has already doubled in value since Saturday and it will double or triple again by this Friday. So, what are you waiting for? For the time being it can only be purchased on /coinexchange [dot] io/ (that's the website address of the exchange). You can set up an account in about thirty seconds, then you send bitcoins to it and you can easily buy swiss coin. If you don't have any bitcoin already you can just google how to get some, it's super simple and will just take you 10 minutes at most, then transfer them to coinexchange's website and get the SIC

----------------

From: Jeffry Looper [Looper63@redacted.tld]
Date: 13 January 2018 at 18:42
Subject: This crypto coin could go up fifty thousand percent this year

Dear [redacted],

If you don't already own a few coins of something, then surely at the very least, you must have heard about cryptocurrencies.

Bitcoin, the most famous one, minted countless multimillionaires but did you know that altcoins (bitcoin alternatives) are responsible for even more riches?

Among the "big" ones, NEM went up almost 10,000 percent and Ethereum, more than 4,000 percent

Among the small and unknown ones several gained more than 50,000 percent.

To put this in perspective, a small 1,000-dollar coin purchase in one of these small ones could have turned into more than 50 million bucks.

Raiblocks, a relatively obscure coin at the time, went from 0.20 on December first to $20 by New Year's Eve. It is now in the top 20 largest coins in the world.

All that to say, the next big winner could be found anywhere, and today I believe I've identified the next one.

After spending hundreds of hours looking at hundreds of different coins, I locked down on one specific target.

Swisscoin.

As the name says, this is a coin created and headquartered in Switzerland. It is one of the only coins in the world recognized as legal tender by the government.

Swisscoin is allowed by the Swiss government and has the potential to climb more than 5,000% before the end of January and more than 50,000% before the end of this year.

This is one of those rare buy-and-hold coins which you WANT to own, and hang onto for the long term, much like those people who bought bitcoin at $1 and kept it for 3 years. FYI, bitcoin is trading at $14,000 now. That's an increase of over 1 million percent.

I recommend you consider putting at least a thousand bucks in Swisscoin immediately. This could quickly turn into enough money to buy a new house, or at the very least a new car.

For those of you who already have bitcoins, all you need to do is open an account at coinexchange.io (this is the url/website, and it takes 1 minute to get setup), transfer some btc to your new account and buy SIC (Swisscoin).

For those of you who are still clueless about Cryptos, the process will be a little bit longer but well worth it.

Open an account at a large exchange such as Coinbase dot com or Coinmama dot com, then add some fund using your credit/debit card or Paypal.

That's the fastest way, but you will be limited to a few hundred bucks at most. It should be enough to get you quickly started but consider adding more funds using a bank transfer so that you can really have skin in the game.

Remember, every thousand bucks of SIC you buy today could easily turn into 500,000 by this time next year.

----------------

From: Justine Mcfall [Mcfall0748@redacted.tld]
Date: 14 January 2018 at 16:42
Subject: Let me tell you about one crypto currency that could turn 1000 bucks into 1 million

If you took a chance on bitcoin early on, just a few years ago, your investment could have paid off in a big way.
According to digital-currency website CoinDesk the value of bitcoins was volatile at the beginning.

It was possible to purchase a single bitcoin for just a few cents. Had you bought just a thousand bucks' worth you would be sitting on millions right now.

Want to know what's even crazier? These types of returns have been replicated hundreds of times over so many different alternative coins and it continue happening all the time.

The trick is to buy into a coin very early on before the crowds notice it.

My research shows that Swisscoin (SIC) is going to be the next big one to blow up this year. It has already doubled since yesterday and as the trend continues it could be 10 times as high before the end of the coming week.

Swisscoin is one of the only coins approved by the government in Switzerland. It is 100% legal and useable in everyday life.

Switzerland's Swiss Franc has been one of the most stable and best performing currencies throughout history and Swisscoin aims to replicate this standard with the digital coin.

Could you turn a thousand bucks into a million before the end of 2018 with SIC? The answer is a clear yes.

For the time being SIC only trades on one exchange: coinexchange.io so you need to open an account there (takes about thirty seconds), and transfer bitcoin to it so you can make the purchase.

If you don't own any digital currency yet then you need to open an account at coinbase or coinmama and buy some btc (bitcoin) with your credit or debit card or bank account.

After you get bitcoins, just follow the instructions in the above paragraph.

One thing is for sure, you definitely don't want to miss out on Swisscoin.

Swisscoin trading was recently suspended and only started up again a few days ago. The chart at World Coin Index shows that this has been a real rollercoaster ride.

There are questions as to whether Swisscoin is actually a cryptocurrency or a Ponzi scheme. Honestly, I don't know and I'd advise you to do your own research. However, this has all the markings of a pump-and-dump scheme, so it's quite possible that someone who bought Swisscoins at their peak wants to pump the price up so they can sell off their holdings. Given that the spam is being sent out from a network of hacked machines and does not comply with anti-spam laws, you can pretty much guarantee that this is not legitimate and should be avoided.

UPDATE: a subsequent spam run looks like this:

From: Trenton Manners [Manners.491@redacted.tld]
Date: 15 January 2018 at 18:42
Subject: Forget about bitcoin, there's a way better coin you can buy.

It's probably not news to you at this point if I tell you that bitcoin has made tons of people tons of money. Something else you probably already know is that it will never go up like crazy again. Its time to shine is long gone. That's why we must look into what the next big thing is, and the truth is that there have been plenty over the last few months. Can you jump on the next huge one before it soars? Swiss coin {SIC} is the most likely candidate for a fifty thousand percent return this year. It has the support of the Switzerland government. It is already considered as legal in the country. It's the type of coin that you can buy a thousand bucks of right now, sit on for a small period of time and you could make out crazy wealthy when all is said and done. SIC has already doubled since Saturday. This long Martin Luther King weekend could bring you even more upside if you act quickly. For those of you who know what this means… you can get it for under 50 satoshi right now. And if you have no clue what this means, it basically means that you can get in on the ground floor How do you get some? You just need an account at coinexchange. Read the currency's official page to find out more info: https://swisscoin.eu/sic-deposits.html

I sincerely anticipate that I will not hurt ur feelings. Shit happens, life didn’t give me a choice. I don’t hate people with special tastes, moreover only God can judge u. So:

Firstly, I put the particular virus on a web site with porn videos (I think you understood me).

Secondly, when you tapped on a video, soft instantly started working, all cams turned on and screen started recording, then my soft collected all contacts from emails, messengers etc. Im really proud for this soft, it makes devices act as remote desktop with keylogger function, impressive. This email address Ive collected from your device, I emailed u here because I think you will 100% going to check your corporative email.

Eventually, I edited a split screen video, with your participation and porn video from your screen, its very weird. Consequently, I can share this video with all your friends, colleagues, relatives etc. I guess it’s a big problem for you.

But we can resolve this problem. 305 Usd- in my opinion, very common cost for false like this.

I accept only bitcoin, this is my wallet’s address- 16Q65ck9Uikr2z1N4wTPG5H7ZgkmLSzDeY U have 45 hours after opening my letter to make transaction. I will see when u read this letter, I adjusted special tracking pixel in it. This time is sufficiently only to complete all verifications and transaction, so you have to think rapidly. If I wont get my «wage», I will share this video with all contact Ive received from ur device.

You can complain to cops for a help, but they wont search out me for even 150 hours, Im from Japan, so think twice. If Ill receive btc- all compromising evidence will be erased forever and I will never message you again.

U can reply, but this Will not make sense, I sent you this notification using my soft for anonymous messages, I don’t check the email after using it, because I contemplate about my safety too. Have a nice day, I hope u will make a good decision for you.

If you got one of these, the first thing to realise is that it is bullshit. This particular one was sent to the contact@ address of a random domain I own. You'll note there are no personal details in the email, and furthermore the claim that there's a tracking pixel in the email can easily be refuted by checking the HTML of the message itself.

The "from" address in the email is bill@adulthehappytimes.com and this matches the name of the sending email server, mta11.adulthehappytimes.com on 188.225.9.190.

You might notice it says mta11; indeed adulthehappytimes.com seems to have subdomains mta.adulthehappytimes.com through mta15.adulthehappytimes.com, some of which are hosted at Heroku / AWS, but the ones that aren't are on the following IPs:

5.23.49.167
5.23.49.180
92.53.124.50
176.57.214.134
176.57.214.240
176.57.217.49
176.57.217.55
176.57.217.167
176.57.217.225
188.225.9.190
188.225.9.215

All of those belong to TimeWeb in Russia. The domain itself is also hosted on 5.23.49.180 (mta1.adulthehappytimes.com) but it appears to be parked. However, whoever controls this domain has gone to the effort of setting up 16 different mail servers. The WHOIS details show that the domain is actually ten years old.

Every Sheets of paper is made from a tree.. Save trees... Conserve Trees.... Go Green .... Don't print this email or any Files unless you really need to!!!!

Confidentiality Notice

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Bharat Electronics or support@bel.co.in immediately and destroy all copies of this message and any attachments.

Attached is a file Purchase order comfirmation.doc.z which contains a malicious executable Purchase order comfirmation.exe, currently with a detection rate of 12/66. It looks like the archive type does not actually match the extension.

If the intended target's system hides file extensions, it is easy to see how they could be fooled.

Anyway, if you are not interested in sending traffic to Iran, Mizban Web Paytakht owns AS64428, which comprises 185.165.40.0/22 as well. I'll make a guess that the 188.165.162.200/29 range may be insecure and could be worth blocking.

The email itself originates from 104.171.114.204 which is allocated as follows:

Our football academy are currently scouting for young football player to participate in 3-6 months training and our main purpose is to recruit young and talented footballers to help become a great football player in Life and become a great star . Our agent will train and linked your child up with big clubs in United Kingdom and Europe.

We will also help your child to get Visa and Work Permit once the admission into our football academy is approved.

Our aim is to provide a wide range of opportunities to complement a successful playing career. We will help your child to find the best route to fulfilling their ambitions of becoming a professional footballer in United Kingdom and Europe.

If you want to help your child achieve their soccer dream, reply us for more information.

Best Regards,
CFAA.

At the time of writing the domain sargas-tm.eu does not exist, but the Reply-To address is actually info@champ-footballacademyagency.co.uk which is a registered domain. The WHOIS details for this say:

There are lots of suspect things about this domain registration - the address is clearly fake, the registrar is based in South Africa and the nameservers are in Russia, and also it was registered just a few weeks ago. A quick bit of Googling around shows that "Nelson Ozi" is also linked to the following probably fraudulent domains:

svbfib.com
svbfibem.com
globalcreditsus.com

These all seem to be connected with an IP range 169.255.59.0/24 (Web4Africa again) which does seem to have a lot of scammy sites hosted on it. Blocking access to that range might be prudent.

The spam email itself comes via another Russian server, mail.elmeh.ru, but this particular email originated from 103.207.37.101 in Vietnam. Replies to the champ-footballacademyagency.co.uk address would be sent to mx.yandex.net, which is in Russia again.

It would probably be quite difficult to stuff any more dodgy indicators into this spam. What the scam actually is isn't 100% clear, it could be anything from a simple advanced fee fraud all the way up to child abduction. Avoid.

All these recent attacks have used .7z archive files, which require 7-Zip or a compatible program to unarchive. Most decent mail filtering tools should be able to block or strip this extension; more capable ones would be able to determine that there is a .vbs script inside and block on that too.
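A mail filter can apply both of the checks just described (and the extension / content mismatch noted earlier for the .doc.z attachment) without trusting the filename at all. This is an added example, not the post's or any vendor's code: it sniffs the container from its magic bytes, flags double extensions, blocks 7z and RAR outright, and lists the members of zip archives (the only one the Python standard library can open) to catch scripts inside. The signature and extension tables are my own assumptions, and the sample attachments are constructed in memory.

```python
import io
import zipfile

# Leading bytes that identify common attachment container formats (assumed table).
SIGNATURES = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",          # prefix shared by RAR 1.5 and RAR 5 headers
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x1f\x9d": "compress",         # Unix .Z / .z
    b"\xd0\xcf\x11\xe0": "ole2",     # legacy .doc / .xls container
}
EXT_TO_KIND = {".7z": "7z", ".rar": "rar", ".zip": "zip", ".gz": "gzip",
               ".z": "compress", ".doc": "ole2", ".xls": "ole2"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr"}


def sniff(data):
    """Identify the container from its magic bytes, ignoring the filename."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions_of(filename):
    """Every dotted suffix of a name: 'Purchase order.doc.z' -> ['.doc', '.z']."""
    return ["." + p for p in filename.lower().split(".")[1:]]


def zip_members(data):
    """Member names of an in-memory zip, or None if it cannot be read."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def assess_attachment(filename, data):
    """Return the reasons a mail filter would have to block this attachment."""
    reasons = []
    exts = extensions_of(filename)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    if last in EXT_TO_KIND and EXT_TO_KIND[last] != kind:
        reasons.append(f"extension {last} but content looks like {kind}")
    if len(exts) > 1 and any(e in SCRIPT_EXTENSIONS or e in EXT_TO_KIND for e in exts[:-1]):
        reasons.append("double extension " + "".join(exts))
    if kind in ("7z", "rar"):
        # Listing members would need a third-party library (assumed: py7zr / rarfile);
        # the cheaper policy the post suggests is to block or strip these outright.
        reasons.append(f"{kind} archive: block or strip")
    elif kind == "zip":
        members = zip_members(data)
        if members is None:
            reasons.append("zip archive unreadable, treat as suspicious")
        else:
            for member in members:
                if any(member.lower().endswith(e) for e in SCRIPT_EXTENSIONS):
                    reasons.append(f"zip contains script {member}")
    return reasons


def build_sample_zip(member_name, payload):
    """Constructed test fixture: a zip holding one inert text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples: just the header bytes of a 7z, and a zip mislabelled .doc.z
SAMPLE_7Z = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26
SAMPLE_DOC_Z = build_sample_zip("msg6355.js", "' constructed placeholder, not a real script\n")

if __name__ == "__main__":
    for name, blob in (("A2174744-06.7z", SAMPLE_7Z),
                       ("Purchase order comfirmation.doc.z", SAMPLE_DOC_Z)):
        print(name, "->", assess_attachment(name, blob) or ["clean"])
```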

UPDATE

A more complete list of download locations from a trusted source (thank you!)

The number referenced in the spam varies, but attached is a .7z archive file with a matching filename. In turn, this contains one of a number of malicious VBS scripts (like this) that download an executable from one of the following locations (thanks to a trusted source for these):

We want to use this opportunity to first say "Thank you very much for your purchase!"

Attached to this email you will find your invoice.

Kindest of regards,
your Amazon Marketplace

==

[commMgrHmdToken:EVDOOCETFBECA]

------------- End message -------------

For Your Information: To help arbitrate disputes and preserve trust and safety, we
retain all messages buyers and sellers send through Amazon.co.uk. This includes your
response to the message below. For your protection we recommend that you only
communicate with buyers and sellers using this method.

We want you to buy with confidence whenever you purchase products on Amazon.co.uk.
Learn more about Safe Online Shopping
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=11081621) and our safe
buying guarantee
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=3149571).

[commMgrTok:EVDOOCETFBECA]

Attached is a .7z archive file with a name that matches the one quoted in the subject line. So far I have seen just two versions of this, each containing a malicious script (sample here and here). These scripts have a detection rate of about 13/58 and they can be seen attempting to download a component from:

An executable is dropped (Locky ransomware) with a detection rate of 18/64. Although Hybrid Analysis [1][2] clearly shows the ransomware, no C2s are currently available (it turns out there aren't any).

Monday, 18 September 2017

Could you please let me know the status of the attached invoice? I
appreciate your help!

Best regards,

Rosella Setter

Tel: 206-575-8068 x 100

Fax: 206-575-8094

*NEW* Ordering@[redacted].com

* Kindly note we will be closed Monday in observance of Labor Day *

The name of the sender varies. Attached is a .7z archive file with a name similar to A2174744-06.7z which in turn contains a malicious .vbs script with a random number for a filename (examples here and here).

Automated analysis of those two samples [1][2][3][4] shows this is Locky ransomware. The two scripts attempt to download a component from:

Wednesday, 6 September 2017

This spam email appears to be sent by the Necurs botnet, advertising a new Bitcoin-like cryptocurrency called QTUM. Necurs is often used to pump malware, pharma and data spam and sometimes stock pump and dump.

There is no guarantee that this is actually being sent by the people running QTUM, it could simply be a Joe Job to disrupt operations. Given some of the wording alluding to illegal marketplaces, I suspect this could be the case.

The Blockchain Made Ready for Business
Build Anonymous Decentralized Applications that Simply Work
Executable on mobile devices, compatible with major existing blockchain ecosystems
TESTNET NOW LIVE!

About

The Qtum Foundation is a Singapore based entity that promotes adoption of the Qtum Blockchain. Project inception began in March 2016, leading up to a successful crowdsale a year later. Over 10,000 BTC and 72,000 ETH were raised in less than 5 days, making Qtum one of the largest crowdfunded projects in history, at $15.6 million dollars.

Investors received 51,000,000 Qtum tokens which will be available for withdrawal on September 13, 2017.

Smart Contracts that Mean Business
Qtum makes it easier than ever for established sectors and legacy institutions to interface with blockchain technology. Create your own tokens, automate supply chain management and engage in self-executing agreements in a standardized environment, verified and tested for stability.

Sparknet is designed primarily for developers, and as such documentation at this point will be technical and suited more for developers. Testnet tokens do not hold any value and should not be traded for any monetary instruments. The testnet can be reset or forked at anytime as deemed necessary for development.

Qtum Skynet, the second public testnet for the Qtum blockchain. All tokens acquired during the testnet will cease to exist when the mainnet is released which actually has tokens which hold value. The purpose of the public testnet is to allow developers to begin testing and developing applications, allow early adopters to see a preview of how the network will behave, and for the Qtum development team to run several load tests which are not directly comparable when done on a private and controlled network. Qtum Skynet will ideally have the same consensus features and parameters as the Qtum mainnet.

As soon as Main Network will be launched, you will be available to build your own applications (DApps) or marketplaces. Fully scalable and anonymous, so you can easy made any anonymous marketplace which can be manage from your phone!

Just imagine, your own silkroad made on Qtum blockchain and managed from your phone with fully anonymous transactions!

No matter what kind of business you are building, all transactions will be anonymous, and the network will never reveal the ip addresses of the applications that are running on it.

Even if you sell weapons, drugs, trade in people and are going to organize a coup d'état, you can be sure that you will remain anonymous.

Another thing is that it is illegal and sooner or later you will receive the punishment that you deserve. But everyone want to know how deep the rabbit hole goes.

For our part, we can only provide a reliable, scalable and anonymous ecosystem thanks to which any business can be built on it and we guarantee that we will do everything possible to make it successful.

We give you a choice - "blue pill or red pill"

What Will your choice be?

So, you have to prepare for Main Network launch

Qtum Custom Token Walkthrough

CROWDSALE

The QTUM token supply will be allocated as follows:

- 51% of Qtum tokens (51,000,000) will be distributed through the crowdsale
- 20% of Qtum tokens (20,000,000 QTUM) will be distributed among founders, early backers and the development team
- 29% of Qtum tokens (29,000,000 QTUM) will be allocated to community initiatives concerning business development, as well as academic research, education, and market expansion

For a more detailed overview of QTUM token allocation visit our website: https://qtum.org/en/crowdsale#question-2

Tuesday, 5 September 2017

This spam email pretends to be from tayloredgroup.co.uk but it is just a simple forgery leading to Locky ransomware. There is both a malicious attachment and link in the body text. The name of the sender varies.

Taylored Financial Planning is a trading style of Jonathan & Carole Taylor who are an appointed representative of Caerus Financial Limited, Building 120, Windmill Hill Business Park, Swindon, SN5 6NX which is authorised and regulated by the Financial Conduct Authority.

Email communications are not secure, for this reason Taylored Financial Planning cannot guarantee the security of the email or its contents or that it remains virus free once sent. This email message is strictly confidential and intended solely for the person or organisation to who it is addressed. It may contain privileged and confidential information and if you are not the recipient, you must not copy, distribute or take any action in reference to it. If you have received this email in error, please notify us as soon as possible and delete the message from your system.

Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.

Detection rates for the scripts are about 13/58 [1][2]. Automated analysis [3][4][5][6] shows Locky ransomware attempting to phone home to the following locations:

just wanted to let you know you were just left a 0:13 long message (number 18538124076)
in mailbox 185381240761 from "18538124076" <6641063681>, on Fri, 25 Aug 2017 14:36:41 +0300
so you might want to check it when you get a chance. Thanks!

--Voicemail Service

Attached is a RAR file containing a malicious VBS script. The scripts are all slightly different, meaning that the RARs are too. These are the MD5s I've seen so far for the RAR files themselves:

The VBS script is similar to this (variable names seem to change mostly) with a detection rate of about 15/59. Hybrid Analysis shows it dropping a Locky executable with a 18/65 detection rate which phones home to 46.17.44.153/imageload.cgi (Baxnet, Russia) which I recommend that you block.

Please note: There is no unsubscribe option on this email, as it is a service message, not a marketing communication. This email was sent from an address that cannot accept replies. Please use the contact details above if you need to get in touch with us.

The link in the email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.

Your bill amount is: $106.84
This doesn't include any amounts brought forward from any other bills.

We've put your latest BT bill for you to view. See your bill here

We'll take your payment from your account as usual by Direct Debit.

Reduce paper waste
You're still getting paper bills by post. Why not go paper-free, and stop storing and shredding them once and for all?

Need some help?
Go to www.bt.com/business/support.

Thanks for choosing BT.

Robena Morath
CEO, BT Business

Payment processing fee: BT Payment Services Ltd, a BT Group Company, charges this fee.

This email contains BT information, which may be privileged or confidential. It's meant only for the individual(s) or entity named above. If you're not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. If you've received this email in error, please let me know immediately on the email address above. Thank you. We monitor our email system, and may record your emails.

And a simpler one..

From: Dianna Mcgrew
Date: 24 August 2017 at 14:50
Subject: Bill-9835

Hi,

Here is a copy of your bill.

Thank you & have a great weekend!

Most (but not all) of the samples I have seen then lead to a single website to download the malicious payload, for example:

Downloads from this site can be a bit slow, unsurprisingly. The dropped EXE seems to be Locky ransomware with a detection rate of 19/65. Hybrid Analysis shows the sample POSTing to 185.179.190.31/imageload.cgi (Webhost LLC, Russia).

If you have any further questions regarding your invoice, please call Customer Service.

Please do not reply directly to this automatically generated e-mail message.

Thank you.
Customer Service Department

A link in the email downloads a malicious VBS script, and because it's quite late I'll just say that Hybrid Analysis has seen it all before. The downloaded EXE (VT 21/64) POSTs to 5.196.99.239/imageload.cgi (Just Hosting, Russia), which is in a network block that also had a fair bit of Angler last year, so I would recommend blocking all traffic to 5.196.99.0/24.

Both download locations of tyytrddofjrntions.net and mjhsdgc872bf432rdf.net are hosted on 119.28.100.249 (Tencent, CN). This same IP was seen in this other recent spam run. Both the RAR and ZIP downloads (detection rate about 18/59 [1][2]) contain the same malicious VBS script [pastebin]. The script tries to download an additional component from one of the following locations:

just wanted to let you know you were just left a 0:53 long message (number 46)
in mailbox 461 from "460GOFEDEX" <8476446077>, on Tue, 22 Aug 2017 17:37:58 +0800
so you might want to check it when you get a chance. Thanks!

--Voicemail Service

The numbers and details vary from message to message, however the format is always the same. Attached is a RAR file with a name similar to msg0631.rar which contains a malicious script named msg6355.js that looks like this [pastebin]. The script has a VirusTotal detection rate of 14/59.

According to automated analysis [1][2] the script reaches out to the following URLs:

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58. Both samples contained a malicious Javascript named 20170821_08914700.js that looks like this [pastebin].

Automated analysis [1][2] shows a download from the following locations:

Wednesday, 19 July 2017

Yesterday I saw a series of spam emails from Necurs apparently attempting to collect replies to super.testtesttest2018@yahoo.com. Although that campaign is continuing today, a new spam run with similar characteristics has started this morning. For example:

Subject, body text and vendor seem to be randomly generated. But in all cases, the Reply-To address is avto111222@bigmir.net (Bigmir is basically a Ukrainian version of Yahoo from what I can tell).

The purpose of this spam run is unclear, but spammers do sometimes launch probing attacks to see what kind of response they get from servers. This could perhaps be an attempt to clean up the Necurs email address database, possibly for resale.